Releases: erlang/otp
OTP 28.5
Patch Package: OTP 28.5
Git Tag: OTP-28.5
Date: 2026-04-23
Trouble Report Id: OTP-16607, OTP-19162, OTP-19967, OTP-20038,
OTP-20043, OTP-20082, OTP-20094, OTP-20098,
OTP-20101, OTP-20106
Seq num: GH-10667, GH-10812, GH-10915, GH-10967,
OTP-16608, PR-10431, PR-10881, PR-10908,
PR-10924, PR-10957, PR-10976, PR-11002,
PR-11045
System: OTP
Release: 28
Application: erl_interface-5.7, erts-16.4, mnesia-4.25.3,
ssl-11.6
Predecessor: OTP 28.4.3
Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
HIGHLIGHTS
-
There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.
Own Id: OTP-20043
Application(s): otp
Related Id(s): PR-10431
OTP-28.5
Improvements and New Features
-
There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.
Own Id: OTP-20043
Related Id(s): PR-10431*** HIGHLIGHT ***
erl_interface-5.7
The erl_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation.
Improvements and New Features
-
A new
configureoption--{enable,disable}-use-embedded-3pp-alternativeshas been added. When enabled,configureis forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled,configurewill use all internal embedded 3pps. Currently this option affectszstd,zlib,ryu(withSTL),opensslandtcl. The default is to use all built-in embedded 3pps except forzlibwhich by default will usezlibon the OS if available.Requirements for alternatives:
zstd- Static library and include files of at least version 1.5.6 needs to be available.zlib- Library and include files of at least version 1.2.5 needs to be available.ryu(withSTL) - A usable C++ compiler with C++17 support.openssl- No requirements. Our own MD5 implementation will be used.tcl- Thestrerrorname_np()function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument
embedded_3ppshas been added toerlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.Own Id: OTP-20106
Related Id(s): PR-11045
Known Bugs and Problems
-
The
eiAPI for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.Own Id: OTP-16607
Related Id(s): OTP-16608
erts-16.4
The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed bug in
enif_make_map_from_arraysfor arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If less than 33 unique keys existed, an internally inconsistent and broken map was returned.Own Id: OTP-20098
Related Id(s): PR-10976 -
Fixed an issue when supplying the args_file option to erl.exe on windows that did not handle unicode characters correctly.
Own Id: OTP-20101
Related Id(s): GH-10667
Improvements and New Features
-
A new
configureoption--{enable,disable}-use-embedded-3pp-alternativeshas been added. When enabled,configureis forced to find alternatives, to a subset, of the embedded third-party products (3pps) in the runtime system, and when disabled,configurewill use all internal embedded 3pps. Currently this option affectszstd,zlib,ryu(withSTL),opensslandtcl. The default is to use all built-in embedded 3pps except forzlibwhich by default will usezlibon the OS if available.Requirements for alternatives:
zstd- Static library and include files of at least version 1.5.6 needs to be available.zlib- Library and include files of at least version 1.2.5 needs to be available.ryu(withSTL) - A usable C++ compiler with C++17 support.openssl- No requirements. Our own MD5 implementation will be used.tcl- Thestrerrorname_np()function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument
embedded_3ppshas been added toerlang:system_info/1. It returns a map with information about the use of embedded 3pps in the runtime system.Own Id: OTP-20106
Related Id(s): PR-11045
Full runtime dependencies of erts-16.4
kernel-9.0, sasl-3.3, stdlib-4.1
mnesia-4.25.3
The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Added documentation for
user_propertiesand functionsread_table_property/2,write_table_property/2,delete_table_property. Enhanced documentation forfrag_properties. -
Fixed a bug where stacktrace was not returned from
mnesia:transaction/1when transaction aborts with an error exception.
Full runtime dependencies of mnesia-4.25.3
erts-9.0, kernel-5.3, stdlib-5.0
ssl-11.6
Note! The ssl-11.6 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.20.3 (first satisfied in OTP 28.4.2)
Fixed Bugs and Malfunctions
-
Preserve inet option order, as inet_backend option must be first option. Will make inet_backend option work for ssl independently of number of inet supplied options.
Own Id: OTP-19162
Related Id(s): PR-10908 -
Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate.
Improvements and New Features
-
Avoid unnecessary memory consumption for temporary processes in a supervision tree.
Own Id: OTP-19967
Related Id(s): PR-10957
Full runtime dependencies of ssl-11.6
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0
Thanks to
felipe stival, Hewwho, Hugo BaraΓΊna, Nick Vatamaniuc, Viktor SΓΆderqvist, William Yang
OTP 28.4.3
Patch Package: OTP 28.4.3
Git Tag: OTP-28.4.3
Date: 2026-04-21
Trouble Report Id: OTP-20081, OTP-20086, OTP-20104
Seq num: #10968, CVE-2026-32147, PR-10985, PR-11027
System: OTP
Release: 28
Application: kernel-10.6.3, ssh-5.5.2
Predecessor: OTP 28.4.2
Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
OTP-28.4.3
Fixed Bugs and Malfunctions
-
Fix the
otp_patch_applyscript to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version.Own Id: OTP-20086
Related Id(s): PR-10985
kernel-10.6.3
The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
On Windows, sockets has to be bound when using 'socket'. Therefor when using gen_tcp with inet_backend = socket, gen_tcp_socket bind even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. So, this has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding.
Own Id: OTP-20104
Related Id(s): #10968
Full runtime dependencies of kernel-10.6.3
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
ssh-5.5.2
Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.
Thanks to John Downey.
Own Id: OTP-20081
Related Id(s): PR-11027, CVE-2026-32147
Full runtime dependencies of ssh-5.5.2
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
OTP 27.3.4.11
=== OTP-27.3.4.11 === Changed Applications: - erts-15.2.7.8 - mnesia-4.23.5.2 - ssh-5.2.11.7 Unchanged Applications: - asn1-5.3.4.2 - common_test-1.27.7 - compiler-8.6.1.4 - crypto-5.5.3.2 - debugger-5.5.0.1 - dialyzer-5.3.1 - diameter-2.4.1.1 - edoc-1.3.2 - eldap-1.2.14.1 - erl_interface-5.5.2 - et-1.7.1 - eunit-2.9.1 - ftp-1.2.3 - inets-9.3.2.4 - jinterface-1.14.1 - kernel-10.2.7.4 - megaco-4.7.2.1 - observer-2.17 - odbc-2.15 - os_mon-2.10.1 - parsetools-2.6 - public_key-1.17.1.2 - reltool-1.0.1 - runtime_tools-2.1.1 - sasl-4.2.2.1 - snmp-5.18.2 - ssl-11.2.12.7 - stdlib-6.2.2.3 - syntax_tools-3.2.2.2 - tftp-1.2.2.1 - tools-4.1.1 - wx-2.4.3.1 - xmerl-2.1.3.3
OTP 26.2.5.20
=== OTP-26.2.5.20 === Changed Applications: - erts-14.2.5.14 - ssh-5.1.4.15 Unchanged Applications: - asn1-5.2.2.1 - common_test-1.26.2.4 - compiler-8.4.3.4 - crypto-5.4.2.4 - debugger-5.3.4 - dialyzer-5.1.3.1 - diameter-2.3.2.2 - edoc-1.2.1 - eldap-1.2.12 - erl_docgen-1.5.2 - erl_interface-5.5.1 - et-1.7 - eunit-2.9 - ftp-1.2.1.1 - inets-9.1.0.6 - jinterface-1.14 - kernel-9.2.4.11 - megaco-4.5.0.1 - mnesia-4.23.1.2 - observer-2.15.1 - odbc-2.14.2 - os_mon-2.9.1 - parsetools-2.5 - public_key-1.15.1.6 - reltool-1.0 - runtime_tools-2.0.1 - sasl-4.2.1 - snmp-5.15 - ssl-11.1.4.12 - stdlib-5.2.3.6 - syntax_tools-3.1.0.1 - tftp-1.1.1.1 - tools-3.6 - wx-2.4.1.1 - xmerl-1.3.34.3
OTP 29.0-rc3
Inital Release: OTP 29.0
Git Tag: OTP-29.0
Date: 2026-04-15
Trouble Report Id: OTP-16607, OTP-19587, OTP-19611, OTP-19643,
OTP-19663, OTP-19672, OTP-19695, OTP-19708,
OTP-19709, OTP-19713, OTP-19734, OTP-19744,
OTP-19747, OTP-19750, OTP-19751, OTP-19763,
OTP-19766, OTP-19783, OTP-19784, OTP-19785,
OTP-19786, OTP-19793, OTP-19800, OTP-19801,
OTP-19807, OTP-19809, OTP-19811, OTP-19815,
OTP-19822, OTP-19826, OTP-19834, OTP-19838,
OTP-19842, OTP-19853, OTP-19858, OTP-19866,
OTP-19874, OTP-19882, OTP-19887, OTP-19898,
OTP-19903, OTP-19906, OTP-19910, OTP-19912,
OTP-19917, OTP-19918, OTP-19919, OTP-19921,
OTP-19922, OTP-19925, OTP-19927, OTP-19932,
OTP-19933, OTP-19934, OTP-19935, OTP-19936,
OTP-19938, OTP-19942, OTP-19943, OTP-19949,
OTP-19956, OTP-19960, OTP-19963, OTP-19964,
OTP-19965, OTP-19966, OTP-19968, OTP-19969,
OTP-19975, OTP-19980, OTP-19982, OTP-19991,
OTP-19995, OTP-19996, OTP-19997, OTP-20001,
OTP-20002, OTP-20003, OTP-20004, OTP-20010,
OTP-20013, OTP-20015, OTP-20016, OTP-20017,
OTP-20019, OTP-20020, OTP-20023, OTP-20025,
OTP-20026, OTP-20028, OTP-20029, OTP-20030,
OTP-20031, OTP-20032, OTP-20034, OTP-20035,
OTP-20036, OTP-20045, OTP-20048, OTP-20054,
OTP-20055, OTP-20059, OTP-20061, OTP-20066,
OTP-20069, OTP-20070, OTP-20071, OTP-20072,
OTP-20073, OTP-20076, OTP-20077, OTP-20078,
OTP-20079, OTP-20080, OTP-20088, OTP-20090,
OTP-20092, OTP-20095, OTP-20099
Seq num: GH-10071, GH-10125, GH-10151, GH-10214,
GH-10260, GH-10341, GH-10345, GH-10557,
GH-10650, GH-10807, GH-8569, GH-8841,
GH-8993, GH-9822, OTP-16608, OTP-19652,
OTP-19775, OTP-19779, OTP-19827, PR-10013,
PR-10033, PR-10078, PR-10114, PR-10115,
PR-10126, PR-10134, PR-10144, PR-10145,
PR-10161, PR-10166, PR-10168, PR-10187,
PR-10189, PR-10193, PR-10195, PR-10197,
PR-10202, PR-10207, PR-10230, PR-10234,
PR-10243, PR-10253, PR-10259, PR-10269,
PR-10276, PR-10277, PR-10281, PR-10304,
PR-10338, PR-10348, PR-10372, PR-10382,
PR-10387, PR-10417, PR-10421, PR-10422,
PR-10426, PR-10433, PR-10449, PR-10453,
PR-10478, PR-10510, PR-10511, PR-10514,
PR-10519, PR-10524, PR-10532, PR-10549,
PR-10554, PR-10556, PR-10564, PR-10568,
PR-10571, PR-10573, PR-10578, PR-10579,
PR-10580, PR-10585, PR-10592, PR-10598,
PR-10601, PR-10614, PR-10615, PR-10617,
PR-10619, PR-10626, PR-10642, PR-10646,
PR-10647, PR-10653, PR-10656, PR-10674,
PR-10710, PR-10718, PR-10730, PR-10735,
PR-10739, PR-10753, PR-10754, PR-10755,
PR-10770, PR-10782, PR-10783, PR-10801,
PR-10804, PR-10805, PR-10814, PR-10817,
PR-10818, PR-10819, PR-10820, PR-10821,
PR-10824, PR-10830, PR-10836, PR-10838,
PR-10839, PR-10870, PR-10892, PR-10894,
PR-10910, PR-10938, PR-10948, PR-10949,
PR-10950, PR-10951, PR-10958, PR-10962,
PR-10965, PR-10969, PR-10970, PR-10979,
PR-10986, PR-10998, PR-11004, PR-11010,
PR-7118, PR-7315, PR-9115, PR-9125, PR-9134,
PR-9153, PR-9209, PR-9223, PR-9315, PR-9374,
PR-9475, PR-9712, PR-9814, PR-9864, PR-9866,
PR-9894, PR-9899, PR-9934, PR-9940, PR-9984
System: OTP
Release: 29
Application: asn1-5.5, common_test-1.31, compiler-10.0,
crypto-5.9, debugger-7.0, dialyzer-6.0,
diameter-2.7, edoc-1.5, eldap-1.3,
erl_interface-5.7, erts-17.0, et-1.8,
eunit-2.11, ftp-1.2.5, inets-9.7,
jinterface-1.16, kernel-11.0, megaco-4.9,
mnesia-4.26, observer-2.19, odbc-2.17,
os_mon-2.12, parsetools-2.8, public_key-1.21,
reltool-1.1, runtime_tools-2.4, sasl-4.4,
snmp-5.20.3, ssh-6.0, ssl-11.6, stdlib-8.0,
syntax_tools-4.1, tftp-1.3, tools-4.2,
wx-2.6, xmerl-2.2
Predecessor: OTP
Check out the git tag OTP-29.0, and build a full OTP system including documentation.
HIGHLIGHTS
-
The JIT now generates better code for matching or creating binaries with multiple little-endian segments.
Own Id: OTP-19747
Application(s): erts
Related Id(s): [PR-10126] -
In the documentation for the [
compile] module, a section has been added with recommendations for implementors of languages running on the BEAM. Documentation has also been added for theto_abstr,to_exp, andfrom_abstroptions.The documentation for [erlc] now lists
.abstras one of the supported options.When compiling with the
to_abstroption, the resulting.abstrfile now retains any-docattributes present in the source code.Own Id: OTP-19784
Application(s): compiler, erts
Related Id(s): [PR-10230], [PR-10234] -
Native records as described in [EEP-79] has been implemented.
A native record is a data structure similar to the traditional tuple-based records, except that is a true data type.
Native records are considered experimental in Erlang/OTP 29 and possibly also in Erlang/OTP 30, meaning that their behavior may change, potentially requiring updates to applications that use them.
Own Id: OTP-19785
Application(s): compiler, debugger, dialyzer, erts, stdlib
Related Id(s): [PR-10617] -
The guard BIF
is_integer/3has been added. It follows the design of the original EEP-16, only changing the name fromis_betweentois_integer. This BIF takes in 3 parameters,Term,LowerBound, andUpperBound.It returns
trueifTerm,LowerBound, andUpperBoundare all integers, andLowerBound =< Term =< UpperBound; otherwise, it returns false.Example:
1> I = 42. 2> is_integer(I, 0, 100). true
Own Id: OTP-19809
Application(s): compiler, dialyzer, erts
Related Id(s): [PR-10276] -
There are new functions for random permutation of a list:
rand:shuffle/1andrand:shuffle_s/2. They are inspired by a suggestion and discussion on ErlangForums.Own Id: OTP-19826
Application(s): stdlib
Related Id(s): [PR-10281] -
In the default code path for the Erlang system, the current working directory (
.) is now in the last position instead of the first.Own Id: OTP-19842
Application(s): erts, kernel*** POTENTIAL INCOMPATIBILITY ***
-
Function application is now left associative. That means one can now write:
f(X)(Y)instead of:
(f(X))(Y)Own Id: OTP-19866
Application(s): compiler
Related Id(s): [PR-9223] -
The old-style type tests in guards (
integer,atom, and so on) have been scheduled for removal in Erlang/OTP 30. They have been deprecated for a long time.Own Id: OTP-19887
Application(s): otp
Related Id(s): [PR-10417] -
There will now be a warning when exporting variables out of a subexpression. For example:
case file:open(File, AllOpts = [write,{encoding,utf8}]) of {ok,Fd} -> {Fd,AllOpts} endTo avoid the warning, this can be rewritten to:
AllOpts = [write,{encoding,utf8}], case file:open(File, AllOpts) of {ok,Fd} -> {Fd,AllOpts} endThe warning can be suppressed by giving option
nowarn_export_var_subexprto the compiler.Own Id: OTP-19898
Application(s): compiler, stdlib
Related Id(s): [PR-9134] -
By default, the compiler will now warn for uses of the
andandoroperators.This warning can be suppressed using the
nowarn_obsolete_bool_opcompiler option.Own Id: OTP-19918
Application(s): compiler
Related Id(s): [PR-9115] -
graphis a new module that is a functional equivalent of the [digraph] and [digraph_utils] modules.Own Id: OTP-19922
Application(s): stdlib
Related Id(s): [PR-10532] -
Before Erlang/OTP 29, attempting to bind variables in a comprehension would compile successfully but fail at runtime. Example:
1> fh(List) -> [H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]. ok 2> fh(lists:seq(1, 10)). * exception error: bad filter 2614250In Erlang/OTP 29, attempting to bind a variable in a comprehension will fail by default:
1> fh(List) -> [H || E <- List, H = erlang:phash2(E), H rem ...
OTP 28.4.2
Patch Package: OTP 28.4.2
Git Tag: OTP-28.4.2
Date: 2026-04-07
Trouble Report Id: OTP-19506, OTP-19889, OTP-19931, OTP-20027,
OTP-20037, OTP-20042, OTP-20044, OTP-20046,
OTP-20047, OTP-20049, OTP-20050, OTP-20052,
OTP-20053, OTP-20056, OTP-20060, OTP-20064,
OTP-20065, OTP-20068
Seq num: CVE-2026-28810, CVE-2026-32144, ERIERL-1310,
ERIERL-1311, ERIERL-1312, GH-10454, GH-10562,
GH-10606, GH-10785, GH-10876, GH-10901,
GH-7156, GH-9476, PR-10456, PR-10569,
PR-10620, PR-10788, PR-10864, PR-10866,
PR-10867, PR-10873, PR-10874, PR-10889,
PR-10893, PR-10899, PR-10904, PR-10906,
PR-10911, PR-10941, PR-9481
System: OTP
Release: 28
Application: compiler-9.0.6, erts-16.3.1, eunit-2.10.3,
inets-9.6.2, kernel-10.6.2,
public_key-1.20.3, sasl-4.3.2, snmp-5.20.2,
ssl-11.5.4
Predecessor: OTP 28.4.1
Check out the git tag OTP-28.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
POTENTIAL INCOMPATIBILITIES
-
When OCSP stapling is enabled via the {stapling, staple} or {stapling, #{...}} options, the handshake now fails if the server does not provide an OCSP stapled response.
Previously, a missing OCSP staple was silently accepted (soft-fail). Since Erlang/OTP only supports OCSP via stapling with no fallback to direct OCSP queries or CRL checking, soft-fail meant no revocation check at all.
Applications that need the previous soft-fail behavior can use a custom verify_fun that accepts {bad_cert, missing_ocsp_staple}.
Own Id: OTP-20064
Application(s): ssl
Related Id(s): [PR-10941], [CVE-2026-32144]
compiler-9.0.6
The compiler-9.0.6 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The type inference for
maps:from_list/1was incorrect: when the provided list was statically known to be bogus when non-empty (e.g. a list of atoms), the compiler assumed it would also fail when the list was empty.Own Id: OTP-19506
Related Id(s): [GH-9476], [PR-9481] -
Fixed a bug in the type analysis pass that could erroneously eliminate code blocks.
Own Id: OTP-19931
Related Id(s): [GH-10562], [PR-10569] -
A binary as the value of a
-moduledoc()attribute would be silently ignored.Own Id: OTP-20065
Related Id(s): [GH-10901], [PR-10904]
Full runtime dependencies of compiler-9.0.6
crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
erts-16.3.1
The erts-16.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed a JIT bug that miscompiled expressions like
X * X + X * X.Own Id: OTP-19889
Related Id(s): [GH-10454], [PR-10456] -
Fixed bug on windows that made tools dialyzer, erlc and typer unusable in powershell or cmd.exe, when there are spaces in the installation path.
Own Id: OTP-20027
Related Id(s): [PR-10620] -
Fixed a bug with prim_tty that could occur on windows if we cannot get the console mode, mark the TTY as unavailable. This can happen when the input handle is a pipe, but the output handle is a console.
Own Id: OTP-20060
Related Id(s): [PR-10899]
Full runtime dependencies of erts-16.3.1
kernel-9.0, sasl-3.3, stdlib-4.1
eunit-2.10.3
The eunit-2.10.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed EUnit {node, ...} instantiation by passing node name (instead of pid) and restored net_kernel auto-start for non-distributed nodes.
Own Id: OTP-20047
Related Id(s): [PR-10788]
Full runtime dependencies of eunit-2.10.3
erts-9.0, kernel-8.3, stdlib-6.0
inets-9.6.2
The inets-9.6.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed authentication bypass in
httpdwhenscript_aliasmaps a URL to a directory outsidedocument_rootwithmod_authdirectory-based access controls. Themod_alias:which_alias/1function now includesscript_aliasentries so authorization is evaluated against the correct path before CGI execution. CVE-2026-28808.Own Id: OTP-20068
Improvements and New Features
-
Fixed typo in
http_server.mdguideOwn Id: OTP-20044
Related Id(s): [GH-10785], [PR-10867] -
Expected error
accept_socket_timeoutin httpd_request_handler now exits gracefully, without generating a crash and supervisor reports.Own Id: OTP-20052
Related Id(s): ERIERL-1310, [PR-10893]
Full runtime dependencies of inets-9.6.2
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
kernel-10.6.2
The kernel-10.6.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Before this patch, the Erlang/OTP built-in DNS resolver (
inet_res) used a sequential, process-global 16-bit transaction ID for UDP queries and did not implement source port randomization. Response validation relied almost entirely on this ID. Together, this made DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. The design conflicted with RFC 5452 recommendations for mitigating forged DNS answers.inet_resis intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where faked DNS responses are possible.Therefore, the documentation is been updated to clarify that
inet_resshould only be used in trusted networks and with trusted recursive resolvers.The implementation is also improved to use strong random DNS transaction IDs and source ports for every DNS transaction. This should give ample protection against brute forcing fake DNS replies, known as DNS cache poisoning, but it still does not protect against, for example, an adversary in the path of the DNS transaction that can observe the random values before faking malicious replies, an attack known as DNS spoofing.
For randomization to happen, the Crypto application has to be loaded, which most probably already should be the case for an Erlang node in an exposed network.
If performance should become an issue, for applications within safe network environments, the previous light weight behaviour can be configured by setting the resolver option
randomtofalse.Own Id: OTP-20037
Related Id(s): [PR-10864], [CVE-2026-28810]
Full runtime dependencies of kernel-10.6.2
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
public_key-1.20.3
Note! The public_key-1.20.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
Fixed Bugs and Malfunctions
-
OCSP designated responder certificate verification now checks the CA's cryptographic signature on the responder certificate. Previously, only the issuer DN match and id-kp-OCSPSigning EKU were verified, which meant a forged self-signed certificate with the CA's subject DN would be accepted as a valid designated responder (Case 2 in RFC 6960 Β§4.2.2.2).
Own Id: OTP-20042
Related Id(s): [PR-10873], [CVE-2026-32144] -
Update handling of encoding 'OTPSubjectPublicKeyInfo' in public_key:pkix_encode/3, so that it works for update spec added in OTP-28.
Own Id: OTP-20050
Related Id(s): [GH-10876], [PR-10889]
Improvements and New Features
-
Relax upper bound of common names in certificates for pragmatic interoperability reasons.
Own Id: OTP-20049
Related Id(s): [GH-10606], [PR-10866]
Full runtime dependencies of public_key-1.20.3
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
sasl-4.3.2
The sasl-4.3.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed the typespec of release_handler:eval_appup_script/4.
Own Id: OTP-20053
Related Id(s): [PR-10906]
Full runtime dependencies of sasl-4.3.2
erts-15.0, kernel-6.0, stdlib-4.0, tools-2.6.14
snmp-5.20.2
The snmp-5.20.2 application can be applied independently of other applications on a full OTP 28 installation.
Improvements and New Features
-
The SNMP manager now propagates
msgAuthoritativeEngineIDandmsgUserNamefrom USM security parameters through to thesnmpm_user:handle_error/3callback when an incoming message is discarded due to an unknown EngineID (usmStatsUnknownEngineIDs).This enables users to programmatically discover the correct authoritative EngineID from the error callback and re-register USM credentials, supporting SNMPv3 USM EngineID discovery as described in RFC 3414, Section 4. The failed_processing_message variant has been added to the
snmpm:user:handle_error/3callback type specification.Own Id: OTP-20056
Related Id(s): ERIERL-1312, [GH-7156...
OTP 27.3.4.10
=== OTP-27.3.4.10 === Changed Applications: - compiler-8.6.1.4 - crypto-5.5.3.2 - erts-15.2.7.7 - inets-9.3.2.4 - kernel-10.2.7.4 - public_key-1.17.1.2 - sasl-4.2.2.1 - ssl-11.2.12.7 Unchanged Applications: - asn1-5.3.4.2 - common_test-1.27.7 - debugger-5.5.0.1 - dialyzer-5.3.1 - diameter-2.4.1.1 - edoc-1.3.2 - eldap-1.2.14.1 - erl_interface-5.5.2 - et-1.7.1 - eunit-2.9.1 - ftp-1.2.3 - jinterface-1.14.1 - megaco-4.7.2.1 - mnesia-4.23.5.1 - observer-2.17 - odbc-2.15 - os_mon-2.10.1 - parsetools-2.6 - reltool-1.0.1 - runtime_tools-2.1.1 - snmp-5.18.2 - ssh-5.2.11.6 - stdlib-6.2.2.3 - syntax_tools-3.2.2.2 - tftp-1.2.2.1 - tools-4.1.1 - wx-2.4.3.1 - xmerl-2.1.3.3
OTP 26.2.5.19
=== OTP-26.2.5.19 === Changed Applications: - inets-9.1.0.6 - kernel-9.2.4.11 Unchanged Applications: - asn1-5.2.2.1 - common_test-1.26.2.4 - compiler-8.4.3.4 - crypto-5.4.2.4 - debugger-5.3.4 - dialyzer-5.1.3.1 - diameter-2.3.2.2 - edoc-1.2.1 - eldap-1.2.12 - erl_docgen-1.5.2 - erl_interface-5.5.1 - erts-14.2.5.13 - et-1.7 - eunit-2.9 - ftp-1.2.1.1 - jinterface-1.14 - megaco-4.5.0.1 - mnesia-4.23.1.2 - observer-2.15.1 - odbc-2.14.2 - os_mon-2.9.1 - parsetools-2.5 - public_key-1.15.1.6 - reltool-1.0 - runtime_tools-2.0.1 - sasl-4.2.1 - snmp-5.15 - ssh-5.1.4.14 - ssl-11.1.4.12 - stdlib-5.2.3.6 - syntax_tools-3.1.0.1 - tftp-1.1.1.1 - tools-3.6 - wx-2.4.1.1 - xmerl-1.3.34.3
OTP 29.0-rc2
OTP 29.0-rc2
Erlang/OTP 29.0-rc2 is the second release candidate of three before the OTP 29.0 release.
The intention with this release is to get feedback from our users. All feedback is welcome, even if it is only to say that it works for you. We encourage users to try it out and give us feedback either by creating an issue at https://github.com/erlang/otp/issues or by posting to Erlang Forums.
All artifacts for the release can be downloaded from the Erlang/OTP Github release and you can view the new documentation at https://erlang.org/documentation/doc-17.0-rc2/doc. You can also install the latest release using kerl like this:
kerl build 29.0-rc2 29.0-rc2.
Erlang/OTP 29 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.
Many thanks to all contributors!
Highlights for RC2
-
The module
io_ansiallows the user to emit Virtual Terminal Sequences (also known as ANSI sequences) to the terminal in order to add colors/styling to text or to create fully fledged terminal applications. -
The new
ct_doctestmodule allows the user to test documentation examples in Erlang module docs and documentation files. -
The
ignore_xrefattribute has been handled as a post-analysis filter by build tools such as Rebar3. In this release, [xref] itself does the filtering, ensuring that all tooling that callsxreffor any purpose can rely on these declarations to just work.
Highlights for RC1
General
-
In the default code path for the Erlang system, the current working directory (
.) is now in the last position instead of the first. -
There is no longer a 32-bit Erlang/OTP build for Windows.
New language features
-
Native records as described in EEP-79 has been implemented. A native record is a data structure similar to the traditional tuple-based records, except that is a true data type. Native records are considered experimental in Erlang/OTP 29 and possibly also in Erlang/OTP 30.
-
The new
is_integer/3guard BIF makes it possible to easily verify that a value is both an integer and within a certain range. For example:is_integer(I, 0, 100) -
Multi-valued comprehensions according to EEP 78 are now supported. For example,
[-I, I || I <- [1, 2, 3]]will produce[-1,1,-2,2,-3,3]. -
By enabling the
compr_assignfeature, it is now possible to bind variables in a comprehensions. For example:[H || E <- List, H = erlang:phash2(E), H rem 10 =:= 0]
Compiler and JIT improvements
-
In the documentation for the [
compile] module, there is now a section with recommendations for implementors of languages running on the BEAM. -
The JIT now generates better code for matching or creating binaries with multiple little-endian segments.
-
The compiler will generate more efficient code for map comprehensions with constant values that don't depend on the generator. Example:
#{K => 42 || K <- List}
Compiler warnings
There are several new compiler warnings enabled by default. For each such warning, there is an option to disable it.
-
There will now be a warning when using the
catchoperator, which has been deprecated for a long time. It is recommended to instead usetry...catchbut is also possible to disable the warning by using thenowarn_deprecated_catchoption. -
There will now be a warning when exporting variables out of a subexpression. For example:
file:open(File, AllOpts = [write, {encoding,utf8}]). This warning can be disabled using thenowarn_export_var_subexprcompiler option. -
The compiler will now warn for uses of the
andandoroperators. This warning can be disabled using thenowarn_obsolete_bool_opcompiler option. -
The compiler will now warn for matches such as
{a,B} = {X,Y}, which is better written as{a=X,B=Y}. This warning can be disabled using thenowarn_match_alias_patsoption.
For a long time, there has been a warning for using the obsolete guard tests (such as list(L) instead of is_list(L). In Erlang/OTP 30, the old guards will be removed from the language.
STDLIB
- There are new functions for randomly permutating a list:
rand:shuffle/1andrand:shuffle_s/2.
SSH
- The default key exchange algorithm is now mlkem768x25519-sha256, a hybrid quantum-resistant algorithm combining ML-KEM-768 with X25519. This provides protection against both classical and quantum computer attacks while maintaining backward compatibility through automatic fallback to other algorithms when peers don't support it.
OTP 28.4.1
Patch Package: OTP 28.4.1
Git Tag: OTP-28.4.1
Date: 2026-03-12
Trouble Report Id: OTP-20007, OTP-20009, OTP-20011, OTP-20012,
OTP-20014, OTP-20018, OTP-20022
Seq num: CVE-2026-23941, CVE-2026-23942,
CVE-2026-23943, ERIERL-1303, ERIERL-1305,
GH-10694, PR-10707, PR-10798, PR-10809,
PR-10811, PR-10813, PR-10825, PR-10833
System: OTP
Release: 28
Application: crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
ssh-5.5.1, ssl-11.5.3
Predecessor: OTP 28.4
Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
crypto-5.8.3
The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fix memory leak in
crypo:engine_loadif called with incorrect commands.Own Id: OTP-20014
Related Id(s): PR-10798
Full runtime dependencies of crypto-5.8.3
erts-9.0, kernel-6.0, stdlib-3.9
inets-9.6.1
The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability
Own Id: OTP-20007
Related Id(s): PR-10833, CVE-2026-23941
Full runtime dependencies of inets-9.6.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
kernel-10.6.1
The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.
If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response, depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.
The code has also been tightening up of the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen.
Own Id: OTP-20012
Related Id(s): PR-10825
Full runtime dependencies of kernel-10.6.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
ssh-5.5.1
Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.
Own Id: OTP-20009
Related Id(s): PR-10811, CVE-2026-23942 -
Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory.
The fix removes zlib from default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research
Own Id: OTP-20011
Related Id(s): PR-10813, CVE-2026-23943
Full runtime dependencies of ssh-5.5.1
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.5.3
Note! The ssl-11.5.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.18.3 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
TLS-1.3 certificate request now preserves the order of signature algorithms in certificate request extension to be in the servers preferred order, which might affect the choice made by some TLS clients.
Own Id: OTP-20022
Related Id(s): ERIERL-1305, GH-10694, PR-10707
Improvements and New Features
-
Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions.
Own Id: OTP-20018
Related Id(s): ERIERL-1303, PR-10809
Full runtime dependencies of ssl-11.5.3
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0
Thanks to
Alexander Clouter, Hewwho